Dark Reading | Attacks/Breaches | Commentary

10/22/2020 10:00 AM
Michael Piccalo
Implementing Proactive Cyber Controls in OT: Myths vs. Reality

Debunking the myths surrounding the implementation of proactive cyber controls in operational technology.

As the frequency of cyberattacks increases — often with a higher level of sophistication in order to evade detection — it's easy to see why organizations are investing in security technologies, such as automation, that can respond more efficiently to potential attacks after certain conditions have been met.

The consequences of a successful attack can take many forms, including unauthorized disclosure of client data, loss of client trust, litigation, financial loss (including heavy penalties), and damaged brand reputation. While these impacts sound bad — and they are — they often pale in comparison to the potential implications of a breach in operational technology (OT) and critical infrastructure environments, which can also include safety concerns and loss of life.

By improving how they protect their IT networks, organizations can achieve more immediate risk reduction, shorten the time needed by defenders to counter an attack and maximize the use of investments and human resources. So, why do we often see less proactive efforts in OT?

First, on the IT network, inadvertently blocking a connection is unlikely to lead to a catastrophic event, so there is more flexibility in where controls can be automated. Second, there is a higher rate of cyberattacks at the external perimeter than at the perimeter of the OT networks, which reminds us that controls on the business network are often the first lines of defense for OT. While both are valid reasons, neither means that a higher level of cybersecurity maturity can't be achieved in OT environments.

Proactive controls in OT are nothing new. Thinking back to the days of the LOGIIC (Linking the Oil and Gas Industry to Improve Cybersecurity) program, the consortium came together to evaluate application whitelisting, a security technology designed to maintain a list of authorized executable files and then automatically block the execution of any files not on that list. This is a great example, from nearly a decade ago, of proactive controls used in the higher levels of OT — and the business case wasn't much different than it is today.

When many people think of OT networks, they think of the sensors and actuators that do tasks, such as opening valves, turning on pumps, raising temperatures, and adding chemicals. These devices reside in Levels 0, 1, and 2 of the Purdue Model and are at the core of what monitors and controls that site. Because many endpoint security technologies, such as application whitelisting, are designed to be installed on IT-type devices, such as workstations and servers, these solutions typically are not applicable to these industrial assets residing in the lower levels.

However, there are many other supporting assets residing in Levels 3 and 3.5 (the OT DMZ) that are less critical and may include devices such as domain controllers, remote access jump boxes, antivirus and patching servers, historians (a historian collects data points over time from many different areas of the plant so decisions can be made on that data at a later point), and much more. This is a great potential area to begin proactive security improvements because these assets more closely resemble traditional IT-type devices supporting the OT environment — and, more importantly, they often do not have a direct impact on operations. For these reasons, Levels 3 and 3.5 are a great starting point for automating cyber controls in OT.

Taking proactive steps in these levels provides some significant advantages over the adversary. A simple example might be leveraging a continuous network monitoring solution at Levels 3 and 3.5, where traffic from the business network often enters, to detect malicious or anomalous traffic. Then, once activity is detected, an alert could be generated, followed by the creation of a firewall policy to automatically block that host while simultaneously opening a support ticket assigned to the appropriate group for any follow-up actions.

Another example could be when a new host, undefined in the network baseline, begins communicating with the human-machine interface or engineering workstation. An appropriate action may be to automatically block those unauthorized connections while, of course, also generating an alert and support ticket. These actions are prudent in today's environment and are just a couple of basic examples that leverage the benefits of automation.

Many Options
While some may hesitate at the idea of automatically blocking any communications on the OT network, there are many options, which depend upon one's comfort level. For example, in either of the previously mentioned scenarios, an alert and ticket could have been generated without implementing a block. Other options would be to automatically add or update any discovered assets in the configuration management database, push critical events to the security information and event management system, disable unauthorized USB devices, change the virtual LAN of an asset if certain criteria have not been met, or validate and remediate antivirus or patch compliance gaps for transient laptops. The options, while not endless, are certainly abundant and allow for a wide range of actions while taking advantage of existing investments the company has made.
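The two scenarios above (a monitor signature on Level 3/3.5 traffic, and an unbaselined host reaching the HMI or engineering workstation) and the "comfort level" tiers just described can be expressed as one small playbook. The following is an added illustration, not code from the article or from any vendor's product: the flow records, asset baseline, IP addresses, roles and signature name are all constructed, and the `Mode` tiers, `Playbook` class and `run_example` helper are hypothetical names chosen for this example. It shows how the same detection logic can drive alert-only, alert-plus-ticket, or alert-plus-ticket-plus-block responses, and why a block mode should also stop re-ticketing a host that is already contained.

```python
"""Tiered automated response for Purdue Level 3/3.5 monitoring alerts.

Added example, not the article's or any product's code. Data model is
hypothetical: flow records from a passive network monitor, an asset baseline
keyed by IP, and a response mode picked per site comfort level.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class Mode(Enum):
    ALERT = "alert"             # alert only: no ticket, no block
    ALERT_TICKET = "ticket"     # alert and open a support ticket
    BLOCK = "block"             # alert, ticket, and push a firewall deny rule


# Constructed baseline of known assets and their roles (not real addresses).
BASELINE: Dict[str, str] = {
    "10.10.2.10": "hmi",
    "10.10.2.11": "engineering_workstation",
    "10.10.3.20": "historian",
    "10.10.3.21": "patch_server",
    "10.10.35.5": "jump_host",
}

# Roles whose unbaselined inbound connections are always actionable.
PROTECTED_ROLES = {"hmi", "engineering_workstation"}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    signature: Optional[str] = None   # set by the monitor's detection engine


@dataclass
class Action:
    kind: str      # "alert", "ticket" or "firewall_deny"
    target: str    # host the action applies to
    reason: str


@dataclass
class Playbook:
    mode: Mode
    actions: List[Action] = field(default_factory=list)
    firewall_denies: Set[str] = field(default_factory=set)

    def evaluate(self, flow: Flow) -> Optional[str]:
        """Return why a flow is actionable, or None if it looks benign."""
        if flow.signature:
            return f"monitor signature {flow.signature}"
        if flow.src not in BASELINE and BASELINE.get(flow.dst) in PROTECTED_ROLES:
            return f"unbaselined host talking to {BASELINE[flow.dst]}"
        return None

    def respond(self, flow: Flow, reason: str) -> None:
        """Escalate according to the configured comfort level."""
        self.actions.append(Action("alert", flow.src, reason))
        if self.mode in (Mode.ALERT_TICKET, Mode.BLOCK):
            self.actions.append(Action("ticket", flow.src, reason))
        if self.mode is Mode.BLOCK:
            self.firewall_denies.add(flow.src)
            self.actions.append(Action("firewall_deny", flow.src, reason))

    def process(self, flows: List[Flow]) -> List[Action]:
        for flow in flows:
            if flow.src in self.firewall_denies:
                continue   # already contained: avoid a second ticket per host
            reason = self.evaluate(flow)
            if reason:
                self.respond(flow, reason)
        return self.actions


def run_example(mode: Mode) -> Playbook:
    """Run the playbook over a constructed batch of flow records."""
    flows = [
        Flow("10.10.3.20", "10.10.2.10", 44818),            # historian -> HMI, baselined
        Flow("10.10.99.7", "10.10.2.11", 102),              # unknown host -> engineering workstation
        Flow("10.10.35.5", "10.10.3.21", 443, "CONSTRUCTED-SIG-001"),  # jump host flagged by monitor
        Flow("10.10.99.7", "10.10.2.10", 502),              # same unknown host -> HMI
        Flow("10.10.99.8", "10.10.3.20", 443),              # unknown host -> historian (not protected)
    ]
    playbook = Playbook(mode)
    playbook.process(flows)
    return playbook


def count_by_kind(playbook: Playbook) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for action in playbook.actions:
        counts[action.kind] = counts.get(action.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for mode in Mode:
        pb = run_example(mode)
        print(mode.value, count_by_kind(pb), sorted(pb.firewall_denies))
```

In block mode the second connection from the unbaselined host produces no new ticket because the host is already in the deny set; in the alert-only tiers every matching flow is surfaced, which is the behaviour an analyst would want while the baseline is still being tuned.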

Each of these is a step in the right direction toward proactive security in OT environments. In the end, it's about risk reduction and balancing the needs of the business while ensuring that the site continues to run — and run safely.

Any good cybersecurity program is not implemented overnight but, rather, can take years to get into place. Even then, it is a constantly evolving journey that requires adaptation to our changing times. But we cannot neglect OT networks as part of this journey, even in just taking manageable baby steps and working toward milestones in Levels 3 and 3.5 to meet the organization's security goals and objectives.

Michael Piccalo is the Director of OT/ICS Systems Engineering at Forescout Technologies. With over 25 years of experience in the cybersecurity industry, he worked on deploying some of the first firewalls protecting OT and critical infrastructure back in 2001 and served in the ...